Fix update execution message discarded. refs #8616

[mcodato]

Hi, this is our proposal for fixes #8616

Configuration for test

/etc/icinga2/conf.d/test.conf
Use this configuration on master, satellite and agent

object Host "satellite" {
    address = "127.0.0.1"
    check_command = "hostalive"
    zone = "satellite"
    vars.ls_dir = "/tmp/host"
    enable_active_checks = false
}

object Host "agent" {
    address = "127.0.0.1"
    check_command = "hostalive"
    zone = "satellite"
    vars.ls_dir = "/tmp/host"
    enable_active_checks = false
}

object Host "master" {
    address = "127.0.0.1"
    check_command = "hostalive"
}

object CheckCommand "custom_command" {
    command = [ "/usr/bin/ls", "$ls_dir$" ]
    zone = "global-commands"
}

Master

/etc/icinga2/zones.conf

object Zone "global-commands" {
    global = true
}

object Zone "global-templates" {
    global = true
}

object Zone "director-global" {
    global = true
}

object Endpoint "master" {
}

object Zone "master" {
    endpoints = [ "master" ]
}

object Endpoint "satellite" {
}

object Zone "satellite" {
    endpoints = [ "satellite" ]
    parent = "master"
}

object Endpoint "agent" {
    log_duration = 0s
}

object Zone "agent" {
    endpoints = [ "agent" ]
    parent = "satellite"
}

Satellite

/etc/icinga2/zones.conf

object Zone "global-commands" {
  global = true
}

object Zone "global-templates" {
    global = true
}

object Zone "director-global" {
    global = true
}

object Endpoint "master" {
    host = "127.0.0.1"
    port = "5665"
}

object Zone "master" {
    endpoints = [ "master" ]
}

object Endpoint "satellite" {
}

object Zone "satellite" {
    endpoints = [ "satellite" ]
    parent = "master"
}

object Endpoint "agent" {
    host = "127.0.0.1"
    port = "5663"
    log_duration = 0s
}

object Zone "agent" {
    endpoints = [ "agent" ]
    parent = "satellite"
}

Agent

/etc/icinga2/zones.conf

object Zone "global-commands" {
    global = true
}

object Endpoint "satellite" {
    host = "127.0.0.1"
    port = "5664"
}

object Zone "satellite" {
    endpoints = [ "satellite" ]
}

object Endpoint "agent" {
}

object Zone "agent" {
    endpoints = [ "agent" ]
    parent = "satellite"
}

object Zone "global-templates" {
    global = true
}

object Zone "director-global" {
    global = true
}

Test before the fix

Request

curl -k -sS -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Host", "host": "agent", "ttl":"60", "endpoint": "agent", "macros": { "ls_dir":"/tmp/foo" }, "command": "custom_command", "command_type": "CheckCommand" }'

Response

{"results":[{"checkable":"agent","code":202.0,"execution":"beca0a2c-a99d-4804-90a3-9bd7e142b302","status":"Accepted"}]}

Execution status

"beca0a2c-a99d-4804-90a3-9bd7e142b302" = {
    deadline = 1612800769.001815
    pending = true
}

Master logs

[2021-02-08 17:11:49 +0100] notice/ApiListener: New HTTP client
[2021-02-08 17:11:49 +0100] debug/HttpUtility: Request body: '{"type":"Host", "host": "agent", "ttl":"60", "endpoint": "agent", "macros": { "ls_dir":"/tmp/foo" }, "command": "custom_command", "command_type": "CheckCommand" }'
[2021-02-08 17:11:49 +0100] notice/ApiActionHandler: Running action execute-command
[2021-02-08 17:11:49 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message
[2021-02-08 17:11:49 +0100] notice/ApiListener: Sending message 'event::UpdateExecutions' to 'satellite'
[2021-02-08 17:11:49 +0100] notice/ApiListener: Relaying 'event::ExecuteCommand' message
[2021-02-08 17:11:49 +0100] notice/ApiListener: Sending message 'event::ExecuteCommand' to 'satellite'
>> {"jsonrpc":"2.0","method":"event::UpdateExecutions","params":{"executions":{"beca0a2c-a99d-4804-90a3-9bd7e142b302":{"deadline":1612800769.001815,"pending":true}},"host":"agent"},"ts":1612800709.00188}
[2021-02-08 17:11:49 +0100] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [::1]:37268), user: root, agent: curl/7.71.1, status: Accepted).
>> {"jsonrpc":"2.0","method":"event::ExecuteCommand","params":{"command":"custom_command","command_type":"check_command","deadline":1612800769.001815,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"beca0a2c-a99d-4804-90a3-9bd7e142b302"},"ts":1612800709.001983}
[2021-02-08 17:11:49 +0100] information/HttpServerConnection: HTTP client disconnected (from [::1]:37268)

Satellite logs

[2021-02-08 17:11:49 +0100] notice/JsonRpcConnection: Received 'event::UpdateExecutions' message from identity 'master'.
[2021-02-08 17:11:49 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message
<< {"jsonrpc":"2.0","method":"event::ExecuteCommand","params":{"command":"custom_command","command_type":"check_command","deadline":1612800769.001815,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"beca0a2c-a99d-4804-90a3-9bd7e142b302"},"ts":1612800709.001983}
[2021-02-08 17:11:49 +0100] notice/JsonRpcConnection: Received 'event::ExecuteCommand' message from identity 'master'.
[2021-02-08 17:11:49 +0100] notice/ApiListener: Relaying 'event::ExecuteCommand' message
[2021-02-08 17:11:49 +0100] notice/ApiListener: Sending message 'event::ExecuteCommand' to 'agent'
>> {"jsonrpc":"2.0","method":"event::ExecuteCommand","originZone":"master","params":{"command":"custom_command","command_type":"check_command","deadline":1612800769.001815,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"beca0a2c-a99d-4804-90a3-9bd7e142b302"},"ts":1612800709.002931}
<< {"jsonrpc":"2.0","method":"event::ExecutedCommand","params":{"end":1612800709.006358,"execution":"beca0a2c-a99d-4804-90a3-9bd7e142b302","exit":2.0,"host":"agent","output":"/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n","start":1612800709.003923}}
[2021-02-08 17:11:49 +0100] notice/JsonRpcConnection: Received 'event::ExecutedCommand' message from identity 'agent'.
[2021-02-08 17:11:49 +0100] notice/ClusterEvents: Discarding 'update executions API handler' message for checkable 'agent' from 'agent': Unauthorized access.

Agent logs

[2021-02-08 17:11:49 +0100] notice/JsonRpcConnection: Received 'event::UpdateExecutions' message from identity 'master'.
[2021-02-08 17:11:49 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message
<< {"jsonrpc":"2.0","method":"event::ExecuteCommand","params":{"command":"custom_command","command_type":"check_command","deadline":1612800769.001815,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"beca0a2c-a99d-4804-90a3-9bd7e142b302"},"ts":1612800709.001983}
[2021-02-08 17:11:49 +0100] notice/JsonRpcConnection: Received 'event::ExecuteCommand' message from identity 'master'.
[2021-02-08 17:11:49 +0100] notice/ApiListener: Relaying 'event::ExecuteCommand' message
[2021-02-08 17:11:49 +0100] notice/ApiListener: Sending message 'event::ExecuteCommand' to 'agent'
>> {"jsonrpc":"2.0","method":"event::ExecuteCommand","originZone":"master","params":{"command":"custom_command","command_type":"check_command","deadline":1612800769.001815,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"beca0a2c-a99d-4804-90a3-9bd7e142b302"},"ts":1612800709.002931}
<< {"jsonrpc":"2.0","method":"event::ExecutedCommand","params":{"end":1612800709.006358,"execution":"beca0a2c-a99d-4804-90a3-9bd7e142b302","exit":2.0,"host":"agent","output":"/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n","start":1612800709.003923}}
[2021-02-08 17:11:49 +0100] notice/JsonRpcConnection: Received 'event::ExecutedCommand' message from identity 'agent'.
[2021-02-08 17:11:49 +0100] notice/ClusterEvents: Discarding 'update executions API handler' message for checkable 'agent' from 'agent': Unauthorized access.

Test with the fix

Request

curl -k -sS -u root:admin -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/execute-command' -d '{"type":"Host", "host": "agent", "ttl":"60", "endpoint": "agent", "macros": { "ls_dir":"/tmp/foo" }, "command": "custom_command", "command_type": "CheckCommand" }'

Response

{"results":[{"checkable":"agent","code":202.0,"execution":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e","status":"Accepted"}]}

Exectuion status*

"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e" = {
		deadline = 1612801142.086969
		end = 1612801082.090901
		exit = 2.000000
		output = "/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n"
		start = 1612801082.088762
	}

Master logs

[2021-02-08 17:18:02 +0100] notice/ApiListener: New HTTP client
[2021-02-08 17:18:02 +0100] debug/HttpUtility: Request body: '{"type":"Host", "host": "agent", "ttl":"60", "endpoint": "agent", "macros": { "ls_dir":"/tmp/foo" }, "command": "custom_command", "command_type": "CheckCommand" }'
[2021-02-08 17:18:02 +0100] notice/ApiActionHandler: Running action execute-command
[2021-02-08 17:18:02 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message
[2021-02-08 17:18:02 +0100] notice/ApiListener: Sending message 'event::UpdateExecutions' to 'satellite'
[2021-02-08 17:18:02 +0100] notice/ApiListener: Relaying 'event::ExecuteCommand' message
[2021-02-08 17:18:02 +0100] notice/ApiListener: Sending message 'event::ExecuteCommand' to 'satellite'
[2021-02-08 17:18:02 +0100] information/HttpServerConnection: Request: POST /v1/actions/execute-command (from [::1]:38370), user: root, agent: curl/7.71.1, status: Accepted).
>> {"jsonrpc":"2.0","method":"event::UpdateExecutions","params":{"executions":{"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e":{"deadline":1612801142.086969,"pending":true}},"host":"agent"},"ts":1612801082.087048}
>> {"jsonrpc":"2.0","method":"event::ExecuteCommand","params":{"command":"custom_command","command_type":"check_command","deadline":1612801142.086969,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e"},"ts":1612801082.087107}
[2021-02-08 17:18:02 +0100] information/HttpServerConnection: HTTP client disconnected (from [::1]:38370)
<< {"jsonrpc":"2.0","method":"event::UpdateExecutions","params":{"executions":{"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e":{"deadline":1612801142.086969,"end":1612801082.090901,"exit":2.0,"output":"/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n","start":1612801082.088762}},"host":"agent"},"ts":1612801082.091564}
[2021-02-08 17:18:02 +0100] notice/JsonRpcConnection: Received 'event::UpdateExecutions' message from identity 'satellite'.
[2021-02-08 17:18:02 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message

Satellite logs

<< {"jsonrpc":"2.0","method":"event::UpdateExecutions","params":{"executions":{"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e":{"deadline":1612801142.086969,"pending":true}},"host":"agent"},"ts":1612801082.087048}
[2021-02-08 17:18:02 +0100] notice/JsonRpcConnection: Received 'event::UpdateExecutions' message from identity 'master'.
[2021-02-08 17:18:02 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message
<< {"jsonrpc":"2.0","method":"event::ExecuteCommand","params":{"command":"custom_command","command_type":"check_command","deadline":1612801142.086969,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e"},"ts":1612801082.087107}
[2021-02-08 17:18:02 +0100] notice/JsonRpcConnection: Received 'event::ExecuteCommand' message from identity 'master'.
[2021-02-08 17:18:02 +0100] notice/ApiListener: Relaying 'event::ExecuteCommand' message
[2021-02-08 17:18:02 +0100] notice/ApiListener: Sending message 'event::ExecuteCommand' to 'agent'
>> {"jsonrpc":"2.0","method":"event::ExecuteCommand","originZone":"master","params":{"command":"custom_command","command_type":"check_command","deadline":1612801142.086969,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e"},"ts":1612801082.087914}
<< {"jsonrpc":"2.0","method":"event::ExecutedCommand","params":{"end":1612801082.090901,"execution":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e","exit":2.0,"host":"agent","output":"/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n","start":1612801082.088762}}
[2021-02-08 17:18:02 +0100] notice/JsonRpcConnection: Received 'event::ExecutedCommand' message from identity 'agent'.
[2021-02-08 17:18:02 +0100] notice/ApiListener: Relaying 'event::UpdateExecutions' message
[2021-02-08 17:18:02 +0100] notice/ApiListener: Sending message 'event::UpdateExecutions' to 'master'
>> {"jsonrpc":"2.0","method":"event::UpdateExecutions","params":{"executions":{"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e":{"deadline":1612801142.086969,"end":1612801082.090901,"exit":2.0,"output":"/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n","start":1612801082.088762}},"host":"agent"},"ts":1612801082.091564}

Aagent logs

<< {"jsonrpc":"2.0","method":"event::ExecuteCommand","originZone":"master","params":{"command":"custom_command","command_type":"check_command","deadline":1612801142.086969,"endpoint":"agent","host":"agent","macros":{"ls_dir":"/tmp/foo"},"source":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e"},"ts":1612801082.087914}
[2021-02-08 17:18:02 +0100] notice/JsonRpcConnection: Received 'event::ExecuteCommand' message from identity 'satellite'.
[2021-02-08 17:18:02 +0100] notice/Process: Running command '/usr/bin/ls' '/tmp/foo': PID 1367365
[2021-02-08 17:18:02 +0100] notice/Process: PID 1367365 ('/usr/bin/ls' '/tmp/foo') terminated with exit code 2
[2021-02-08 17:18:02 +0100] notice/ApiListener: Sending message 'event::ExecutedCommand' to 'satellite'
>> {"jsonrpc":"2.0","method":"event::ExecutedCommand","params":{"end":1612801082.090901,"execution":"ce72a2a5-6237-41fe-a21b-a896d2fa1c5e","exit":2.0,"host":"agent","output":"/usr/bin/ls: cannot access '/tmp/foo': No such file or directory\n","start":1612801082.088762}}

[Al2Klimov]

Colleagues, any security objections?

[julianbrost]

Let me try to summarize to see if I understand correctly:

In order to schedule the execute a command on another node, this command has to be sent from a parent node to be accepted. This command references some config object which is then asynchronously updated with the result. However, this update performs a different permission check: the object must be accessible from the zone that sends the update. You can execute the command on any object though.

So a possible workaround should be to create a dummy host/service that is in the zone of the endpoint executing the command.

This PR would now introduce a new relationship between endpoint and host objects if they share the same name, allowing this update nonetheless. An alternative to this could probably be to store the command endpoint with the pending execution result and use this for update permission checks.

[mcodato]

Hi @julianbrost, thanks for your feedback, we like the idea of storing the command endpoint in the execution object and we have implemented it. It can be tested with the same test above.

[Al2Klimov]

Please squash your commits.

[julianbrost]

Seems like I've overlooked something when suggesting to change the permission check in this way: The permission check would be fine, but the object on which the execution is updated won't exist on intermediate satellites, so this won't help. This would be a general problem when decoupling the execution endpoint from the object's zone completely.

Endpoint names in the following examples refer to this cluster structure:

       m
      / \
     /   \
    /     \
  s-1     s-2
   |       |
   |       |
  a-1    s-2-1
           |
           |
          a-2

So in the most extreme case, the API would currently accept a command for the host object a-1 which is in zone s-1 (so a-1 is a command endpoint) to be executed on endpoint a-2. Executing this should be fine, however the result would never make it back as s-2 and s-2-1 don't know about the a-1 host object at all. The same would also happen if the object was in zone m or s-2, then s-2-1 still wouldn't be aware of it.

This could be fixed but would need major changes in how the results are returned (would have to be forwarded up the cluster without relying on any local objects). But I think this isn't even a use-case that you'd need but you only have this discrepancy in the object's zone because you're using the command endpoint feature.

So I see two possibilities how this could be fixed without completely overthrowing how the feature works:

1. Restricting the endpoint parameter of the /v1/actions/execute-command API to those values, where we could currently execute and retrieve the result. That is the object's zone, all its parent zones and any direct child of a aforementioned zone. In this example, for an object in zone s-2-1, checks could be executed on m, s-2, s-2-1, a-2 and s-1 (but not a-1). For me this feels like a quite arbitrary restriction from a user's perspective.
2. Removing the endpoint parameter from the /v1/actions/execute-command API and always using the command_endpoint, i.e. the current default. This would mean that the check is always executed where it would be if it was scheduled normally. This sounds like a reasonable restriction to me, but there's one caveat: if command_endpoint is only used for services but not the host itself, for example to perform a ping check from the satellite, executing on the host object would also execute the command on the satellite and you'd have to execute on a service object to execute on the actual host.

So please let me know what you think about this and which options would fit your needs so that we can figure out together how to proceed.

[mcodato]

Hi @julianbrost sorry for the delay,
We believe the first proposal is the most appropriate for our use case.
We have implemented it, please let us know if this is correct

[julianbrost]

Hi @julianbrost sorry for the delay,

Well, I think I can't complain about that and have to say sorry for the delayed review myself.

[julianbrost]

@cla-bot check

[Al2Klimov]

C'mon Julian, you've even not resolved your threads not to mention not approved.

[Al2Klimov]

Describe the big picture. Then vs. now. At best with diagrams. The can be hand drawn and photographed if you don't wanna deal with digital tools.

[Al2Klimov]

Also consider splitting your commit into multiple ones which successively lead from then to now. E.g. see commits here:

• Improve performance of Icinga 2 API commands processed in bulk icingadb-web#721

There's already enough information in the description and comment history.

[Al2Klimov]

Apropos, I consider zoneA->CanAccessObject(zoneB) kinda confusing. Doesn’t this -according to CanAccessObject() code- query for a child/parent relationship?

[mcodato]

Instead of
origin->FromZone->CanAccessObject(command_endpoint->GetZone())
is it better to use
command_endpoint->GetZone()->isChildOf(origin->FromZone) ?

[Al2Klimov]

If this is what you wanna check for, yes. IMAO it's more descriptive. But let's Julian cross-check first..

[julianbrost]

This is the return path for the response. The request was sent to the endpoint command_endpoint so this is supposed to check whether the response is coming from (directly or indirectly) that endpoint. That should be checked by both variants but with IsChildOf() that might be a bit more obvious (especially given that CanAccessObject() would also do GetZone() internally, but that wouldn't do the same, greetings to #8740).

[julianbrost]

LGTM now.

@Al2Klimov Do you want to have another look at this before merging? The change is basically storing the execution endpoint in the slot for the result (where the deadline is already stored for example) and then changes to the message forwarding and related permission checks to actually make it work.

[Al2Klimov]

OK this makes sense to me...

[Al2Klimov]

So far so good...

[Al2Klimov]

LGTM

[Al2Klimov]

The only problem I see are messages from the own zone, but then -I guess- !!origin->FromZone wouldn’t be true. (JsonRpcConnection::MessageHandler())

[Al2Klimov]

Huh? nullptr, nullptr? Not...

[julianbrost]

To be honest, I haven't put much thought into these parameters here as the existing event::ExecutedCommand message already used the same ones.

However, are you sure about origin? This is sending a response that originates here, so with the origin of the incoming message, that might prevent the response from being sent back.

[mcodato]

From what I tested, I agree with Julian, using origin, checkable the message is not sent back and the execution remains in the pending state

	"a9086343-4da7-44ae-8fd6-5f16641cbd5e" = {
		deadline = 1681388550.850034
		endpoint = "agent"
		pending = true
	}

[Al2Klimov]

Oops. 😅 🐘

[Al2Klimov]

... origin, checkable? Not even origin? Please explain.

[Al2Klimov]

A bit of indentation...

[Al2Klimov]

... wouldn’t hurt.

[Al2Klimov]

Just to be clear: I asked you for splitting commits by things of what you changed since master (which you did by now). IMAO this doesn’t contradict my previous squash request which targeted fixes of the changeset itself. Apropos: Please squash not everything, but just the indentation fixes into the respective commit(s?) the misindentation comes from. So you get two commits again, but both of them w/o misindentation – and you're finally (😅) done.

[Al2Klimov]

Make it so!

[julianbrost]

Only whitespace changes since my last review, so that one is pretty much still valid.